When documents are filtered, any access controls on a document are kept in the catalog and checked against client permissions when a query is processed. If a client does not have access to a document, the document will not be included in any of the client’s query results; there will be no indication that the document exists. In order to avoid the appearance of missing hits, a user should be properly authenticated before processing a query.
If a document has an ACL that triggers auditing of access attempts, an audit will be generated when the document is filtered (according to the ACL, if System access is to generate an audit record). An audit record will not usually be generated when a document is examined for possible inclusion in a query result. If a document matches a query, and the client subsequently examines the document, an audit record will be generated according to the ACL.